The system is called Cryptographic Attestation of Personhood and it will be able to authenticate logins to websites by using physical USB keys
NEW DELHI :
Popular web infrastructure provider Cloudflare has unveiled a way to eliminate CAPTCHAs from the Internet. The company, which is known for providing websites protection from distributed denial of service (DDoS) attacks, wants to use USB security keys to do the same, using a method it calls the Cryptographic Attestation of Personhood. Cloudflare provides content delivery network (CDN) services for a large number of websites (some estimates say it owns over 80% market share) in the world, making it uniquely poised to bring such a system to the mainstream.
CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is a common way for websites to validate logins at the moment. It usually appears in the form of words that you have to write down, or pictures you have to click on, to prove that you are a real human and not a bot/computer.
With Cloudflare’s new system, users will be able to authenticate logins to websites by using physical USB keys, though the company is yet to add support for most hardware right now. “The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate," the company said in a blog post explaining how the system works.
“Cryptographic Attestation of Personhood relies on Web Authentication (WebAuthn) Attestation. This is an API (application programming interface) that has been standardized at the W3C (world wide web consortium) and is already implemented in most modern web browsers and operating systems. It aims to provide a standard interface to authenticate users on the web and use the cryptography capability of their devices," said the blog post. It said the system will work with all browsers on iOS 14.5, Windows, macOS and uBuntu, and Chrome for Android 10 or later.
The company has set up an example website—cloudflarechallenge.com—where you can try the system out. Users will just have to click on a button asking them to prove they’re human, which leads the browser to prompt for a USB key or even the device’s own authentication system (fingerprint or face ID). Cloudflare says it has tested the service with YubiKeys, HyperFIDO keys and Thetis FIDO U2F keys right now, and that the system will take five seconds to beat, with at most three clicks at a time.